Measures are available to mitigate the money laundering and terrorist financing (ML/TF) risks to legal practices (all structures) and practitioners.[1] As all practitioners face ML/TF risks, not just those who will be regulated by the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth) (AML Act) and the Anti-Money Laundering & Counter-Terrorism Financing Rules 2007 (Cth) (Rules), these measures should be universally considered. Practices regulated by the AML Act (regulated practices) will be obliged to implement these measures.[2] The majority of the measures should be identifiable in a competently run practice. If the current systems in a practice are used and built on, it may be that the mitigation of ML/TF risks, and complying with the AML Act, will be less problematic than envisaged. As Tranche Two has yet to be finalised, there may be changes to the obligations under the AML Act.

The major obligations under the AML Act

At the outset it is important to outline the major obligations which may apply to regulated practices, namely, to:

identify and “know your client” and to collect and verify identification information;

undertake ongoing client due diligence throughout the retainer;

report suspicious matters to the Australian Transaction Reports and Analysis Centre (AUSTRAC);

retain records for defined periods; and

adopt an anti-money laundering/counter-terrorism financing (AML/CTF)


These obligations will apply to practices which provide “designated services”. Designated services have yet to be finalised, but will most likely reflect the Financial Action Task Force (FATF) Recommendation 12 [3] for lawyers when they prepare for or carry out transactions for clients concerning the following activities:

buying and selling of real estate;

managing of client money, securities or other assets;

management of bank, savings or securities accounts;

organisation of contributions for the creation, operation or management of companies; and

creation, operation or management of legal persons or arrangements, and buying and selling of business entities.




The risk-based approach

The AML/CTF framework under the AML Act is a risk-based approach, ensuring “that measures to prevent or mitigate [ML/TF] are commensurate to the risks identified, allow[ing] resources to be allocated in the most efficient way [and] that the greatest risks receive the highest attention”.[4] This will allow a regulated practice to leverage off existing risk management systems and to design its AML/CTF program to its own unique risk profile. However, the internal systems and controls, once designed, should be prescriptive, allowing for ease of use by the fee-earners and staff. The risk-based approach will require a regulated practice to identify, manage and mitigate the risk reasonably faced with providing designated legal services to clients that might (inadvertently or otherwise) involve or facilitate money laundering or financing of terrorism: ss84 and 85.

AML/CTF program

A regulated practice will be required to have, and to comply with, an AML/CTF program: ss81 and 82. An AML/CTF program has two parts: Part A – general; and Part B – client identification: s84. A non-regulated practice could consider using these as a basis for an AML/CTF program.

Part A relates to the identification, management and mitigation of the ML/TF risks that the regulated practice may reasonably face, including (Ch 8):

ensuring systems are in place to assess the ML/TF risk of designated legal services provided;

screening staff prior to employment and ongoing screening;

training staff in ML/TF risks, internal systems and processes, and the consequences of non-compliance; and

ongoing client due diligence, including the monitoring of client matters.

Part B relates to client identification procedures and includes (Ch 4):

establishing methods for identifying clients (and their agents), to enable the regulated practice to be reasonably satisfied that a client is who they claim to be;[5] and

collecting and verifying minimum “know your customer” (KYC) information.

ML/TF risk assessments

To identify the ML/TF risks, an ML/TF risk assessment (RA) must be undertaken. The RA will provide the basis for the AML/CTF program. A robust ML/TF risk assessment process, and ongoing ML/TF risk management, can be built into a practice-wide risk management system. The RA is the identification and analysis of the ML/TF risks before those risks can be mitigated and managed. An RA should not be too onerous to undertake, especially as a practice should undertake similar exercises with regard to risk management in general. Also, guidance is available to assist practitioners in understanding and undertaking an RA.[6] RAs on client instructions are a task that most practitioners execute. Any ML/TF RA should encompass the whole practice, not just the regulated practice areas. The factors to be considered in an RA include business and regulatory risks such as (Ch 8):

the ML/TF risk profile of the firm’s clients;

the ML/TF risk of the type of designated legal services provided to clients;

the methods by which those designated legal services are delivered (face-to-face or non face-to-face etc.);

the ML/TF risk profiles of the foreign jurisdictions with which it deals; and

risks resulting from the provision of designated services through permanent offices in foreign countries.

Business risks

Client risk factors

Clients with the following ML/TF risk indicators may pose a higher risk to a practice:

cash businesses with the potential to co-mingle legitimate and illegitimate


complicated business structures which make it difficult to ascertain the real or beneficial owners;

complex, unusual or uneconomic transactions; and

no underlying legal service.

These client ML/TF risks are closely aligned to the risks overall faced by a practice. If a practice keeps potential high risk clients from becoming clients, it reduces the overall risk profile of the practice and the ML/TF risk.

Legal services risk factors

Certain areas of legal practice are more susceptible to use by money launderers or terrorist financiers. These areas relate to financial, property and business-type transactions and include:

property transactions;

complex financial transactions;

complex company or trust arrangements which obscure beneficial ownership; and

cash transactions.

The more complex and opaque a transaction, the more difficult it is for law enforcement agencies to understand the underlying transaction and to trace the source of the underlying funds.

Geographic risk factors

A practice must consider the ML/TF risks emanating from jurisdictions in which it does business. Jurisdictions with a higher ML/TF risk can be ascertained from government agencies.[7] There are also ML/TF risks from local and national geographic areas. These are probably more significant to practitioners. For example, does an area where the practice’s clients reside have a high crime rate or a high rate of mortgage fraud? Within these locations there is the potential that clients may possess, and attempt to use, money or property that is the proceeds of crime.[8]

Delivery channel risk factors

There are ML/TF risks in delivering designated legal services to non face-to-face clients, agents, and via online delivery methods.







Regulatory risks

A regulated practice faces regulatory risk by breaching the civil penalty provisions of the AML Act. These include: failure to report a suspicious matter (s41); failure to keep records (Pt 10); and failure to identify a client (Pt 2). Regulatory risk is mitigated by putting systems and controls in place to ensure that these obligations are not breached and by auditing those systems.

Result of the RA

The outcome of the RA will be information which will allow the practice to rank the ML/TF risks as high, medium or low. The ranking is the product of the chance of the risk happening (likelihood) and the impact if the risk happened (consequence). After ranking, an informed decision can be made as to the risk mitigation strategy and controls. One mitigation strategy for high risks may be to stop providing a service or servicing a segment of clients. Alternatively, high risk services and/or clients may have extra controls placed on them. The practice may accept all the low and medium ML/TF risks, but place extra controls around the medium risks.

Ongoing RAs

After the initial RA it is important to undertake regular ongoing reviews of the RA. There is an obligation, and best practice for those non-regulated practices, to assess the ML/TF risk posed by:

all new designated legal services (e.g. new practice areas);

all new methods of delivery of designated legal services; and

all new technologies used for the provision of designated legal services: Ch 8.

Key controls – prevention

Know your client and client acceptance procedures

Client acceptance and due diligence is an integral part of the process of forming a contract of retainer, and a key element of a practice’s risk management strategy.

KYC and client identification procedures are obligations in an AML/CTF program and key controls: AML Act Pt 2; Rules Ch 4. The concepts are complementary. Client acceptance procedures include:

identifying the client, who is providing the instructions, and the extent of those instructions;

assessing client risk, including ML/TF risk; politically exposed persons (PEP) risk;[9] prohibited persons subject to sanctions risk; conflicts of interest; client financial risk;

location – does the client come from a jurisdiction or area with a higher ML/TF risk?;

work type – does the practice carry out the type of work required?;

the ability and capacity of the practice to do the work to the required standard in the timeframe available;

the client accepting standard, and AML-related, terms and conditions; and

the overall terms of the retainer.

Ongoing client due diligence

Ongoing client due diligence (OCDD) is the obligation to monitor clients with a view to identifying, mitigating and managing any ML/TF risk reasonably faced when providing designated legal services: s36. OCDD obligations are:

systems to determine whether the collection of further KYC information is necessary;

a transaction monitoring program; and

enhanced client due diligence (ECDD): Ch 15.

ECDD involves extra procedures that a practice would adopt when a client or matter meets certain defined risk criteria. In the context of legal practice it may be that ECDD will already be standard practice around retainer management. If a practice has robust client and matter acceptance procedures, they will most likely cover the ECDD requirement. ECDD may arise in situations where the client is new, is a non face-to-face client or a PEP. ECDD must be applied when a regulated practice:

determines that there is a higher ML/TF risk; or

a suspicion has arisen under s41: Ch 15.

Employee due diligence

Employee due diligence (EDD) is important, as there have been instances of launderers or terrorist financiers seeking and/or gaining help from inside organisations to assist and facilitate ML/TF. EDD ensures that a regulated practice will:

determine whether and how to screen any prospective staff member who, if employed, may be in a position to facilitate an ML/TF offence;

determine whether and how to re-screen a staff member whose role changes and thereafter may be in a position to facilitate an ML/TF offence; and

manage any staff member who fails to comply with the AML/CTF program: Ch 8.3.

All staff members, including accounts staff, fee-earners, solicitors and partners, should be considered for EDD as there are ML/TF risks at all levels.

Staff education and awareness

One of the most important and effective controls against ML/TF risk is the education and awareness of staff: Ch 8.2. Staff includes partners, solicitors, other fee-earners and support staff. They all need to know and understand, to differing degrees, what ML/TF is, the ML/TF risk to the practice, the AML regulatory regime and the AML/CTF program. Accounts staff are of particular importance as they are the gateway to the practice’s banking. Launderers have been known to try to deal directly with accounts staff in an attempt to circumvent practitioners.

Key controls – detection

Transaction monitoring


A transaction monitoring program (TMP) is a requirement for Part A: Ch 15. A TMP in the context of a legal practice means ensuring that partners and fee-earners monitor matters/transactions when designated legal services are being provided, to identify, having regard to ML/TF risk, any transaction that appears to be suspicious within the terms of s41. A TMP does not necessarily require an IT monitoring system; this is especially so in a legal practice where practitioners are knowledgeable about their clients and their legal affairs. Once a potentially suspicious matter is identified, the appropriate internal reporting and investigation procedures must be carried out.


Suspicious matter reporting

Suspicious matter reporting (SMR) (s41) is the most controversial obligation under the AML Act as it impinges on the duty of client confidentiality. The only defence to the SMR obligation will be claiming legal professional privilege, not client confidentiality: s242. If a regulated practice forms a suspicion on reasonable grounds, a subjective and objective standard,[10] it must report to AUSTRAC within 24 hours for TF suspicions and three days for all others: s41(2). Practices will need to train all relevant staff to be aware of what is potentially suspicious. Robust systems are required to get the internal reports to the Anti-Money Laundering Compliance Officer (AMLCO) for investigation as the reporting times externally are short. The AMLCO will need to investigate and record the findings, whether or not the suspicion was reported.

Fraud surveillance

Although not an AML Act obligation, it would be considered best practice to adopt fraud surveillance systems, especially to identify mortgage and power of attorney fraud.

Other obligations and controls

Record-keeping requirements

Records of designated services, transactions and KYC procedures must be kept for seven years: Pt 10. In the case of KYC records, this is seven years from the end of the client relationship: s113(2). Currently, files must be kept for a minimum of seven years, and many practices keep files for considerably longer, so some of these requirements may be met with relative ease. Care must be taken when the client relationship is ongoing. Records must be kept of the adoption and retention of the AML/CTF program: s116. This encompasses the initial RA itself and ongoing RAs. Under the risk-based system, it will be for the practice to justify the reasonableness of its decisions, systems and processes to AUSTRAC or, potentially, a court. It is important to keep records of RA decisions throughout a matter, including matter opening and periodic assessments. A contemporaneous note is best practice.


There is an obligation to independently audit, internally or externally, the AML/CTF program: Ch 8.6. A good risk management system will provide for auditing and review of the system. Practices should carry out an annual risk audit which includes the AML/CTF program. A practice’s ML/TF risk profile will change over time, just as its overall risk profile changes. Partners need to know and understand the risks to allow for strategic risk decisions to be made. The audit findings should be included in the annual AML report to the partners. AML-related checks can be incorporated in general file auditing. Is the client acceptance and file opening procedure being circumvented? Do fee-earners and staff know and understand the overall file opening procedure and the importance of the AML checks? Is the ML/TF risk being considered through the life span of the matter or client



The AMLCO will be a vital role, both strategic and operational, and therefore should be a partner with seniority who knows and understands the risk profile of the practice: Ch 8.5. The AMLCO has many responsibilities, the most important being decision making around reporting, both internally and externally; audit and review of the AML program; and staff training.[11] A good AMLCO could save a practice from criminal prosecution or regulatory action, save its reputation and ensure its continued




A robust AML/CTF program based on a thorough ML/TF risk assessment and linked to the current risk management system will provide an effective method to mitigate the ML/TF risks reasonably faced by a practice. It may also help improve overall risk management.

PADDY OLIVER is a lawyer, management consultant and director of legal risk with SSAMM Management Consulting. He has worked extensively in the areas of risk management, compliance and anti-money laundering for both legal and financial services organisations in Australia and the UK.

Parts and sections in this article refer to the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth) and chapters refer to the Anti-Money Laundering & Counter-Terrorism Financing Rules 2007 (Cth).


1. This article is a sequel to the author’s article “Danger in the laundry: risks for all under money laundering laws” (2008) 82(11) LIJ 62. All opinions expressed are those of the author and are based on materials publicly available.

2. Practitioners are currently regulated by the Financial Transactions Reports Act 1998 (Cth) (FTRA), requiring reporting of cash payments over $10,000, and will continue to be so regulated until the AML Act supersedes the FTRA in relation to practitioners.

3. FATF, Forty Recommendations on Money Laundering, 2003, http://fatf-gafi.org/pdf/40Recs-2003_en.pdf.

4. FATF, Guidance on the Risk Based Approach to AML, June 2007, para 1.7.

5. It is arguable that practitioners should actually know who the client is before forming a retainer.

6. AUSTRAC Guidance Note, Risk Management and AML/CTF Programs; AS4360:2004, Risk Management.

7. Department of Foreign Affairs & Trade; US State

8. Criminal Code Act 1995 (Cth), Div 400.

9. PEPs are foreign high-ranking government or military officials, their family members and close associates. Names of PEPs and prohibited persons are available from government and commercial “watch lists”.

10. AUSTRAC, Public Legal Interpretation No 6 of 2008: Suspect transactions and suspicious matters, para 56.

11. AUSTRAC Guidance Note, AML/CTF Compliance Officers, 08/02.

